May 27, 2009 at 20:43:17
Specs: Windows XP
 OK, here's the basics of what is happening:I first noticed an issue when I tried to open mozilla firefox. I got a report that it had previously crashed and given the option to quit or restart it. Either option was unsucessful-I cannot open mozilla. I uninstalled and attempted to re-install mozilla when I ran into the next set of problems. I cannot get to www.google.com. I get the page cannot be displayed message. I went onto the mozilla site in an attempt to re-install the browser, and every link is a redirect wo www.google-analistycs.com/something-something-something-or-other. This also happens on other sites, but not all. I have run my virus scanner, spyware scanner, etc. and cleaned out a few things that came up, but I am still having issues. Thanks for any and all help with this matter, I appreciate your time!JD

#1
May 27, 2009 at 21:03:50

Report •

#2
May 28, 2009 at 00:01:27
 Also Is your Virus scanner and anti Spy ware updated? Want A Weekly Update on Latest System Security Problem http://www.systemsecurityinstitute.org

Report •

#3
May 28, 2009 at 04:10:41

Report •

Related Solutions

#4
May 28, 2009 at 04:12:08

Report •

#5
May 28, 2009 at 04:13:01

Report •

#6
May 28, 2009 at 06:24:50
 Follow these steps:Download and run Kaspersky AVP tool:http://devbuilds.kaspersky-labs.com...Once you download and start the tool select all the objects/places to be scanned and hit Scan. Fix what it detects and at the end of the scan post screenshot/scan-summary log of detected items that is fixed and which it could not fix.--------------------------------------------Donate

Report •

#7
May 28, 2009 at 12:40:01
 OK, I am currently doing this but thought I'd post this so you can see the type of web-address it changes the links to...I was able to pull the real address out of the messed up link.I was going to do a screenshot, but don't know how to post it here....this is the link I recieved:"http://google-analistycs.com/r.php?u=81&b=-2146537337&q=http://devbuilds.kaspersky-labs.com...&s=other&url=http%3A//devbuilds.kaspersky-labs.com/devbuilds/AVPTool/"I'll have that scan summary to you as soon as I can.Jenny D

Report •

#8
May 28, 2009 at 12:45:58
 Post the summary of the scan (detected files).-------------------------------------------------

Report •

#9
May 28, 2009 at 13:15:49
 Forgive me if I am missing something...I downloaded and ran the set-up and have a file folder on my desktop called "virus removal tool". Where do I need to go from here to start the scan?Jenny D

Report •

#10
May 28, 2009 at 13:35:43
 Open the folder and Run .exe. It will start AVP tool.-------------------------------------------------

Report •

#11
May 28, 2009 at 15:28:24
 OK...I have the following items when I open the folder:is-S8C52 (folder)install.tmpLog.bat (MS-DOS Batch file)Scan.bat (MS-DOS batch file)script.bat (MS-DOS batch file)start (shortcut)unins000.dat (DAT file)unins000.exe (Setup/uninstall)When I click on start, nothing happens.I did manage to get the trendmicro scan to go-i figure that's something at least, and that's what it is doing now...while I wait. Thanks for the continued help.Jenny D

Report •

#12
May 28, 2009 at 15:44:58
 Can you please post your AVZ log:Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again.1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as AdministratorYou should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.begin ExecuteStdScr(3); RebootWindows(true); end. Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.Image Tutorial-------------------------------------------------

Report •

#13
May 28, 2009 at 15:45:31
 hiit could be malware or spywaredownload malwarebytes (free edition)andsuperantispyware (free edition)update them and run both (separatly)i have found them both to be good appsgood luck

Report •

#14
May 28, 2009 at 16:41:15
 OK, I am about to do what you said there with AVZ...but just for reference purposes or whatever, I'll share what trendmicro found. They don't create a log...but I copied the information.BKDR_SMALL.JTS (25 INFECTIONS)TROJ_WIMAD.ATTROJ_WIMAD.CGTROJ_KILLAV.AFBKDR_SMALL.KCHTROJ_AGENT.AONTTROJ_SEEKWEL.AOADW_FREEZESCR (2 infections)FREELOADER_SPYWARESTORMERADWARE_180SOLUTIONSOK, off to do the AVZ thing...will post what you asked for as soon as I can!Jenny D

Report •

#15
May 28, 2009 at 16:52:13
 Let me know if you run into any problems creating the log.-------------------------------------------------

Report •

#16
May 28, 2009 at 17:29:31
 OK...so I sucessfully downloaded and ran AVZ...and during the restart, I lost all the icons on my desktop and was left with just my wallpaper. It only does it on my name, other computer users are not affected. Through the task manager I was able to copy the file I needed to a shared folder so that I could use another user to upload the file to rapidshare...and here's the link:http://rs780l3.rapidshare.com/cgi-b...Going to have to head to work soon, so you MIGHT be done with me until tomorrow morning! LOL Thanks so much!Jenny D

Report •

#17
May 28, 2009 at 17:34:09

Report •

#18
May 28, 2009 at 17:44:24
 Oops...copied and pasted the wrong thing.....HER you go!!http://rapidshare.com/files/2383576...Jenny D

Report •

#19
May 28, 2009 at 18:28:25
 Follow these steps in order numbered and don't go to next unless you have successfully done previous step:1) Run this script in AVZ like before. Your computer will reboot.begin SetAVZGuardStatus(True); SearchRootkit(true, true); DeleteService('is-SK2DNdrv'); StopService('is-SK2DNdrv'); QuarantineFile('is-SK2DNdrv.sys',''); QuarantineFile('C:\Documents and Settings\Jenny Donner\Start Menu\Programs\Startup\_uninst_is-SK2DN.exe.bat',''); QuarantineFile('C:\Documents and Settings\Jenny Donner\Start Menu\Programs\Startup\ChkDisk.dll',''); QuarantineFile('C:\DOCUME~1\NETWOR~1\protect.dll',''); QuarantineFile('C:\WINDOWS\system32\autochk.dll',''); QuarantineFile('C:\WINDOWS\system32\DRIVERS\05434815.sys',''); DeleteFile('C:\WINDOWS\system32\DRIVERS\05434815.sys'); DeleteFile('C:\WINDOWS\system32\autochk.dll'); DeleteFile('C:\DOCUME~1\NETWOR~1\protect.dll'); DeleteFile('C:\Documents and Settings\Jenny Donner\Start Menu\Programs\Startup\ChkDisk.dll'); DeleteFile('C:\Documents and Settings\Jenny Donner\Start Menu\Programs\Startup\_uninst_is-SK2DN.exe.bat'); DeleteFile('is-SK2DNdrv.sys'); BC_ImportAll; ExecuteSysClean; BC_Activate; RebootWindows(true); end. 2) After reboot. Attach a Combofix log, please review and follow these instructions carefully.Download it here -> http://download.bleepingcomputer.co...Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.-------------------------------------------------

Report •

#20
May 28, 2009 at 18:40:03
 "I lost all the icons on my desktop and was left with just my wallpaper. It only does it on my name, other computer users are not affected. Through the task manager I was able to copy the file I needed to a shared folder" -- Are the desktop icon's back?? What do you mean by Task manager you were able to copy... windows task manager?? Is your other account admin account or normal user??-------------------------------------------------

Report •

#21
May 29, 2009 at 08:03:30
 OK, here's the link to the combofix log:http://rapidshare.com/files/2385567...Also interesting to note-after running combofix when the computer rebooted...the kaspersky virus removal tool came up!Jenny DTo answer about the task manager thing...first of all...yes, the desktop icons are back. When they had previously disappeared I navigated to the file using windows task manager. The other account is an admin one, but still unable to access MY files, so I had to copy that log folder containing the .zip you needed to a shared folder so that I could access it to upload it to rapidshare--pretty much like driving the scenic route when the main road is shut down! LOL

Report •

#22
May 29, 2009 at 08:18:05
 If the svchost file is the apparent virus, I'd recommend re-installing the operating system. Hope this helps,--Wes

Report •

#23
May 29, 2009 at 08:18:43
 Follow these steps in order numbered. Only move to next step if your successfully completed previous step.1) Run this script in AVZ:begin CreateQurantineArchive('c:\quarantine.zip'); end. 2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file. 3) Lastly, uninstall Combofix by: pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.-------------------------------------------------

Report •

#24
May 29, 2009 at 08:33:56
 All 3 of these items are completeThank you!Jenny D

Report •

#25
May 29, 2009 at 08:56:08
 Uninstall AVP tool from Response Number 6. Let me know once you have.-------------------------------------------------

Report •

#26
May 29, 2009 at 09:10:28
 Thanks for the files. Please follow these steps in order numbered and post summary log after each step.1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with: http://www.eset.eu/online-scanner# Check the box next to YES, I accept the Terms of Use. # Click Start # When asked, allow the activex control to be installed. # Click Start # Check below options: * Remove found threats * Scan unwanted applications. # Click Scan # Wait for the scan to finish # When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt # Attach this logfile to your next message. Note: Turn system restore back on, if you wish; this to remove malware from system volume information files. 2) Install, update and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, but Please Don't fix anything yet, until the log is reviewed.3) Run full scan with your Antivirus. Also at this step your original problem should have been solved. You still have malware problem?4) House cleaning [Optional]. Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.-------------------------------------------------

Report •

#27
May 29, 2009 at 12:16:44
 AVP uninstalledAbout to proceed with the remaining instructions.Jenny D

Report •

#28
May 29, 2009 at 14:16:05
 1)ESETSmartInstaller@High as CAB hook log:OnlineScanner.ocx - registred OK# version=6# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)# OnlineScanner.ocx=1.0.0.5863# api_version=3.0.2# EOSSerial=3715ca510fe0d547b12560b3cee705c0# end=finished# remove_checked=true# archives_checked=false# unwanted_checked=true# unsafe_checked=false# antistealth_checked=false# utc_time=2009-05-29 09:07:13# local_time=2009-05-29 05:07:13 (-0500, Eastern Daylight Time)# country="United States"# lang=9# osver=5.1.2600 NT Service Pack 2# scanned=269670# found=13# cleaned=13# scan_time=6309C:\Documents and Settings\Jenny Donner\Desktop\avz4\Quarantine\2009-05-29\avz00002.dta Win32/Rootkit.Agent.NIZ trojan (cleaned by deleting - quarantined) E9545722B8BB5CD82EC31446EE32C60CC:\Documents and Settings\Jenny Donner\Desktop\avz4\Quarantine\2009-05-29\avz00003.dta Win32/Rootkit.Agent.NIZ trojan (cleaned by deleting - quarantined) E9545722B8BB5CD82EC31446EE32C60CC:\Documents and Settings\Jenny Donner\Desktop\avz4\Quarantine\2009-05-29\avz00004.dta Win32/Rootkit.Agent.NIZ trojan (cleaned by deleting - quarantined) E9545722B8BB5CD82EC31446EE32C60CC:\Documents and Settings\Jenny Donner\My Documents\My Pando Packages\Nero 8 Ultra Edition 8.2.8.0 + Keymaker\Nero-8.2.8.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) F07E4F200E8B0DBD1E5A91F6B3805B00C:\Documents and Settings\Jenny Donner\My Documents\My Pando Packages\Hidden Secrets The Nightmare.exe probably a variant of Win32/TrojanDownloader.Agent trojan (deleted - quarantined) 06EBD756B9A46BB466C6959B082A2526C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsn7ce5s.default\Cache\B7219B0Cd01 a variant of Win32/Kryptik.MD trojan (cleaned by deleting - quarantined) AB758F90C810D02B4D6A0EAB21BAEC41C:\Program Files\Birthday Keeper\Birthday Keeper v7.0.2.124 Keymaker.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 7D1C695C9609E4DB64748453B50E11BCC:\Program Files\Chocolatier 2 - Secret Ingredients\Uninstall.exe probably a variant of Win32/Spy.Agent trojan (cleaned by deleting - quarantined) 453E217D5EFC3E18EA310601136B89B1C:\Program Files\Fashion Fits\Uninstall.exe probably a variant of Win32/Spy.Agent trojan (cleaned by deleting - quarantined) 453E217D5EFC3E18EA310601136B89B1C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 42E47847FB89C2D819330CC3945A25FFC:\Program Files\Super Granny 4\Uninstall.exe probably a variant of Win32/Spy.Agent trojan (cleaned by deleting - quarantined) 453E217D5EFC3E18EA310601136B89B1C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 42E47847FB89C2D819330CC3945A25FFC:\Program Files\Zylom Games\Delicious Deluxe\delicious.dll probably a variant of Win32/Statik application (cleaned by deleting - quarantined) 05A80431EBA4258CEA614F43ADF984B6

Report •

#29
May 30, 2009 at 04:46:49
 2)Malwarebytes' Anti-Malware 1.37Database version: 2193Windows 5.1.2600 Service Pack 25/30/2009 7:45:20 AMmbam-log-2009-05-30 (07-45-08).txtScan type: Full Scan (C:\|)Objects scanned: 332848Time elapsed: 1 hour(s), 23 minute(s), 31 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 3Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.c:\program files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.c:\program files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> No action taken.Files Infected:(No malicious items detected)

Report •

#30
May 30, 2009 at 05:55:51
 Fix what it detects and your malware free.-------------------------------------------------

Report •

#31
May 30, 2009 at 15:41:37
 3) Nothing detected during the scan...seems to be all clear! Thanks SO much for your help on this issue, I really appreciate it!!Also, I was wondering where the appropriate place would be to post for assistance with this next thing: my computer is running pretty slow. I am sure the registry is probably pretty full of useless crap. Where would I post for assitance in cleaning this out?Thanks again--you've been great!!Jenny D

Report •

#32
May 30, 2009 at 16:24:39
 Run: http://onecare.live.com/site/en-Us/... and http://onecare.live.com/site/en-Us/...-------------------------------------------------

Report •

#33
May 30, 2009 at 19:25:57